Global High-Tech Innovation

August 11, 2015

Insurance and Data Value

Several weeks ago I started a series of blog posts introducing five different types of data valuation business processes. The diagram below depicted each process:

During this series of posts I highlighted some of the research findings discovered by Dr. Jim Short (San Diego Supercomputer Center). Jim and I have been studying the industry as part of a joint research project. One interesting output of the research is the variety of ways valuation is currently occuring in the industry. For example, data valuation can occur....

In this post I'd like to focus on a fifth form of valuation: data insurance. This form of valuation is particularly interesting to me for two reasons:

It requires a 3rd party (the insurer) to perform a value assessment as well as a risk assessment.

IT infrastructure and related tools can play a large role in this form of valuation because of the relationship between risk assessment and data protection.

Dr. Short has performed interviews indicating that the data insurance market is growing quickly into a multi-billion dollar opportunity for insurers. There are many use cases to study in this field; I chose a local use case from a recent Boston Globe article that mentions an example of an insurer (Liberty Mutual) and insured (TJX).

The title of the article was More Firms Buying Insurance for Data Breaches. In addition to mentioning insurers like Liberty Mutual, it listed a number of companies that have undergone high profile breaches, such as Sony, TJX, Target, and South Shore Hospital. Specifically, the article stated the following:

When hackers broke into TJX Cos., the owner of TJ Maxx and Marshalls, and stole about 46 million customer credit and debit card numbers, the Framingham company estimated the breach would cost it at least $180 million. The breach of Sony Corp.’s video game online network in 2011 led to the theft of names, addresses, and credit card data belonging to about 100 million users. The hit to Sony: an estimated $171 million.

For TJX, an estimate of 180 million dollars on 46 million records means that each customer entry had a value of over $4 per record. If an insurer had come into the company before the breach and attempted to create a policy that would provide renumeration, how would the value be calculated? It's a difficult problem to solve, especially for breaches. The article also went on to quote Ponemon institute:

The average cost of a data theft in 2012 was $188 per customer account, according to a recent study by the Ponemon Institute, a Michigan-based independent research center focused on privacy and information security. While the mega-breaches tend to grab headlines, more common data losses involve fewer than 100,000 customer records. But even these smaller breaches can be costly, averaging $5.4 million in 2012.

Sales of Liberty Mutual cyber-insurance policies, according to the article, jumped 30 percent from 2013 to 2014.

This ongoing data valuation research is yielding a set of recommendations that suggest five strategies for corporations to Architect for Value.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

having been victimized by the Anthem data breach this article is very interesting to me. SSN and other private health information was stolen for hundreds of thousands of private citizens. We received many calls from businesses who seemed to know about our private health information. What can companies do to better to protect our private data? How can insurance companies put a price on identity theft? The disruption in our lives certainly had a monetary value of more than $4.00!

Great comment Marty and it brings up the topic of the economic value of data from a consumer standpoint vs a corporate standpoint. You are making the point that consumer value of data is significantly higher than the corporate value in some cases. The relationship between the two is worth studying.

Employer

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by DELL Technologies and does not necessarily reflect the views and opinions of DELL Technologies nor does it constitute any official communication of DELL Technologies.